Wi-Fi router with integrated touch-screen and enhanced security features

ABSTRACT

A Wi-Fi router with an integrated configuration touch-screen, and method to use this integrated touch-screen to provide enhanced security features. The Wi-Fi router, which has a wired or optical network interface, may be factory pre-configured with hard to anticipate passwords and encryption codes, thus making even its default Wi-Fi settings difficult to attack. Besides displaying interactive menus on the touch-screen, the router may also generate touch sensitive dynamic alphanumeric virtual keypads to enable administrators to interact with the device without the need of extra computers or software. Inexperienced administrators, secure in the knowledge that they may access and change even difficult to remember security settings at any time through the built-in touch-screen controller and simplified user interface, are encouraged to set up secure Wi-Fi systems. The device may optionally include security software that, upon touch of a button, can provide new randomized or otherwise obfuscated router settings.

FIELD OF THE INVENTION

This invention relates broadly to wireless networks, and more specifically to security methods for Wi-Fi routers and access points.

BACKGROUND OF THE INVENTION

In recent years, local (e.g. home) Wi-Fi networks have become very popular, and it has been estimated that as of 2011, over 200 million of such Wi-Fi networks have been deployed on a worldwide basis (Parks Associates. “Networks in the Home: Global Growth; A Report for the Wi-Fi Alliance.”). These Wi-Fi networks typically consist of a factory pre-configured wireless router, which is often sold in a package consisting of the router, instructions, installation software, and other accessories such as a power supply and cable. These packages are intended to allow unskilled users to set up the Wi-Fi system. Typically the instructions inform the unskilled user to first install the software on his or her local computer, connect the router (which may be a combination modem and router) to the local wired internet connection (often a wired DSL or cable connection, but alternatively may be a wired Ethernet connection, or even a fiber optic connection to the internet or other network of interest). The user will then interact with the program software to implement the various setup instructions.

Prior art on Wi-Fi router configuration methods and devices include Liu, U.S. Pat. No. 7,496,754; Lin, U.S. Pat. No. 7,577,458; Mazur et al., US patent application publication 2008/0172477; Lam et al., US patent application 2009/0103547, and Patel et al., U.S. Pat. No. 7,826,463.

Although prior art routers were generally designed to be configured only with the aid of an external computer or computerized device, prior art routers generally had some limited built-in display and input capabilities. For example, use of light emitting diodes (LEDs) to show network status, along with use of a few other user input buttons built into the router chassis (e.g. on/off buttons, reset buttons) were known. Pham, in U.S. Pat. No. 7,675,862 taught using a liquid crystal display (LCD) (3110) along with several user input buttons (3130) mounted on the router chassis (3100) to show the connection status for various computer network elements. However such limited input and output methods remained too cumbersome to allow inexperienced users to easily input or change the complex series of alphanumeric data needed to fully configure routers.

Unfortunately, even with the aid of installation software, the average unskilled user finds the process of installing and configuring a router for a Wi-Fi network to be rather intimidating. In order to be easy to configure, the Wi-Fi router will usually be factory pre-configured with a standard Wi-Fi identification (SSID) which is often just the name of the manufacturer, and will usually be factory configured with a standard administrator password such as “admin” or “password”. Further, all Wi-Fi encryption features are usually factory preset to a disabled configuration. Inexperienced users, who usually simply want to click “yes” to a number of default installation questions and setup parameters, often don't enable these security features. Once the Wi-Fi network is up and running, the user will then most likely discard the installation software and instructions, and never want to interact with the Wi-Fi router again.

As a result, at present the security of such “home” Wi-Fi networks is very low, and many of these Wi-Fi networks allow an outside attacker to access the Wi-Fi network, and the contents of the various computers attached to that Wi-Fi network, with little or no effort. For example, in 2010, Eric Schmidt, then CEO of Google, admitted that the company's cars that had been capturing images of local buildings for the Google Street View mapping application had also captured data on millions of local Wi-Fi networks, including samples of non-password protected payload data.

Unfortunately, it is also common knowledge that many local Wi-Fi networks are unsecured, and a recent poll showed that about 32 percent of all respondents admitted that they had tried to access a Wi-Fi network that wasn't theirs.

An additional problem with present Wi-Fi network installation procedures is that even the simple process of accepting all the default settings, and producing an unsecure Wi-Fi network, is often too complex for many unskilled users. As a result, many perfectly good Wi-Fi units are returned to the store, distributor, or manufacturer with a demand for a refund, causing unnecessary hassles and expense for users, stores, distributors, and manufacturers alike.

SUMMARY OF THE INVENTION

The invention is based, in part, on the insight that in order to help address this problem of unsecured Wi-Fi networks, the standard process of configuring a Wi-Fi router must be significantly changed. In particular, the practice of factory preconfiguring Wi-Fi routers with standard SSID identifications and administrator passwords, and with the encryption features set to disabled, must be stopped. However attempting to do this with the present Wi-Fi router designs, with installation procedures that require the use of outside computers and software, would rapidly lead to chaos.

The invention is also based, in part, upon the insight that with prior art Wi-Fi routers, a user must first establish communication with the Wi-Fi router from some other computerized device, such as a home PC, laptop, or tablet computer. Establishing these communication parameters often requires that the unskilled user not only establish a basic network connection with the Wi-Fi router, which is daunting enough, but then also requires that the user know the proper passwords and authentication codes by which to inform the Wi-Fi router that the user is, in fact, authorized to make configuration changes in the Wi-Fi router.

In a further insight, the invention contemplates the possibility that an unskilled user's fear of altering the factory default settings may, in fact, be at least partially justified or at least reasonable. In particular, an unskilled user may reasonably believe that if he or she somehow changes the passwords or authorization codes away from the factory default setting, and then forgets the new settings, that router may then be rendered subsequently unfit to use.

The invention is also based, in part, on the insight that the way to improve security on Wi-Fi networks is to modify the router itself so that an unskilled user, without an external computer, and without external software or connections, can nonetheless easily configure the device to a secure setting at the time of initial installation, as well as any later time. If the unskilled user is assured that even if the router is mis-configured, or the new passwords and encryption codes forgotten, the router can still be easily reconfigured to a proper setting, then the unskilled user will be much more likely to properly configure the router on initial setup. Thus in order to encourage unskilled users to properly configure their Wi-Fi routers, the Wi-Fi router design itself must be such that the unskilled user may always have assurance that they can regain control over their router regardless of how badly it may have been mis-configured.

Here, prior art on routers with built-in display screens, such as the previously discussed devices of Lin (U.S. Pat. No. 7,577,458) do not go far enough. Lin taught a router with a built-in LCD screen that would display information potentially useful to sophisticated users, such as information about unauthorized users, number of users, and user identifiers, that may indeed be useful once the Wi-Fi network is established, but which is relatively useless in securely configuring a new Wi-Fi network.

What is needed is a Wi-Fi router with a more comprehensive, built in, graphical user interface that is capable of both providing installation instructions and configuration options suitable for unskilled users to easily understand, and an ability to accept a variety of different types of input. Here prior art router input designs, which were typically limited to a few buttons or keys at most, were too limited. Rather, to implement a full-featured graphical user interface, the user must, as needs dictate, be able to type on virtual keypads or keyboards, select among various icons and graphical options, and in general interact with the router in a fluent and natural manner.

In one embodiment, the invention may be a wireless Wi-Fi router, with a wired or optical network interface, an integrated touch screen, and a wireless Wi-Fi output. Unlike prior art routers that use wired or optical network interfaces, this router will have an integral touch-screen, generally disposed on the surface of the router, along with an appropriate graphical user interface control microprocessor and configuration software. This configuration software will generally contain a simplified user interface so that an unskilled user, either by direct finger touch or by stylus, may easily reconfigure the status of the router at any time.

In an alternative embodiment, the invention may be a method of factory configuring a wireless Wi-Fi router. This router will again generally comprise a wired or optical network interface, an integrated touch screen, and a wireless Wi-Fi output. The router will also have at least one Wi-Fi encryption type and encryption code key, an administrator password, and an SSID network name. This factory configuration method may comprise factory configuring each individual factory manufactured router with an encryption code key and an administrator password with factory default values that are unique to each individual router. As a result, when this wireless Wi-Fi router is at least initially installed into a network, the default encryption code key and default administrator password cannot be predicted by an outside attacker. In order to make the router simple enough for an unskilled user or administrator to configure, the administrator of the router may then further configure the router by direct touch or stylus input onto an integrated router control touch screen, without the need to use a different computerized device or external configuration software.

BRIEF DESCRIPTIONS OF THE DRAWINGS

FIG. 1 is an isometric diagrammatical illustration of a wireless network, in accordance with the present state of the art.

FIG. 2 is a functional block diagram of a computer attached to a conventional wireless router for configuration, in accordance with the present state of the art.

FIG. 3 is a flow diagram of the process followed by a user of the computer of FIG. 2 when initially setting up a wireless network with the conventional wireless router.

FIG. 4 is a flow diagram of the process followed by a user of the computer of FIG. 2 when subsequently re-setting up the wireless network after the user has forgotten or misplaced the encryption key, or has lost the original router documentation.

FIG. 5 is a functional block diagram of an exemplary embodiment of a secure Wi-Fi router, in accordance with an aspect of the present invention.

FIG. 6 is a diagrammatical illustration of the interfaces between an LCD touch panel, a microcontroller, and a processor provided in the secure Wi-Fi router of FIG. 5.

FIG. 7 is a diagrammatical illustration of an alternative embodiment of a secure Wi-Fi router, in accordance with another aspect of the present invention.

FIG. 8 is an isometric exterior view of the Wi-Fi routers of FIGS. 5 and 7, showing the router's integrated touch screen.

FIG. 9 is a flow diagram of the process followed by a user when initially setting up a secure Wi-Fi network with the secure Wi-Fi router of FIG. 5 or FIG. 7.

FIG. 10 is a flow diagram of the process followed by a user of the secure Wi-Fi router of FIG. 5 or FIG. 7 when re-configuring the secure Wi-Fi network.

FIG. 11 shows an example of a router touch-screen display user interface.

FIG. 12 shows another example of a router touch-screen display user interface.

DETAILED DESCRIPTION OF THE INVENTION

As previously discussed, the present invention is based, in part, upon the observation that the security of a Wi-Fi router can be substantially improved by avoiding the prior art convention of using a uniform default factory setting. If the default factory setting is difficult to predict, then the average router will have a unique or semi-unique set of parameters that will be difficult for an attacker to penetrate. Further, the invention is based, in part, on the observation that in order to be able to make such a non-predictable factory default setting process workable for large numbers of unskilled users, an improved Wi-Fi router with an integrated touch-screen panel and easy to configure software is also needed. Such an improved Wi-Fi router could then be easily configured without the need to communicate with an external PC or laptop configuration device.

List of Definitions

- 1) Wi-Fi®—Typically used interchangeably with IEEE Std 802.11. The trademark is owned by the Wi-Fi Alliance.
- 2) WEP—Wired Equivalent Privacy, the original encryption standard used in Wi-Fi networks. This encryption is used to transmit data over the air between the various devices forming the Wi-Fi network.
- 3) WPA—Wi-Fi Protected Access, an upgrade encryption standard that provides better security than WEP.
- 4) WPA2—An improvement on WPA, with even better encryption.
- 5) SSID—Service set identifier, a name that identifies a particular 802.11 wireless LAN.
- 6) WPS—Wi-Fi Protected Setup, a standard for easy and secure establishment of a wireless home network.
- 7) Encryption Key—The code used to access a secure and encrypted Wi-Fi network. The encryption used could be one of the many standards supported by the Wi-Fi protocol such as WEP, WPA, WPA2, etc.
- 8) Public Wi-Fi Network—A loosely used term that typically refers either to a Wi-Fi network that transmits over the air without any encryption or a Wi-Fi network at a public place such as McDonalds, airports, coffee shops, and so on.
- 9) Unsecured Wi-Fi Network—Typically refers to a Wi-Fi network that transmits data over the air without any encryption.
- 10) Private Wi-Fi Network—Typically refers to a Wi-Fi network that is inaccessible without an encryption key for this network.
- 11) Wi-Fi Router—Typically refers to a single device that has a built-in Wi-Fi access point and an Ethernet switch.
- 12) Wi-Fi Access Point (AP)—Only a Wi-Fi access point, without a switch.

A conventional wireless fidelity (Wi-Fi) network (10), shown in FIG. 1, may include a Wi-Fi router (11) operating in accordance with IEEE Standard 802.11. The router (11) typically includes a built-in Wi-Fi access point and at least one Ethernet switch. The router (11) is typically connected to the Internet (13) or other network via a physical (wire or optical fiber) digital subscriber line (DSL) cable modem, optical fiber (15), or other Internet delivery technology and provides a greater level of convenience for a user than would a corresponding wired network (not shown).

Once the Wi-Fi network (10) has been properly set up and configured, the user is free to locate one or more of a desktop computer (21) with a built-in or external Wi-Fi card (not shown), a laptop computer (23) with a built-in or an external Wi-Fi card (not shown), or other wireless devices (25), (27) essentially anywhere within the coverage area of the Wi-Fi network (10). This configuration allows the user to transfer data, audio and video files, for example, without being encumbered by network Ethernet connections. Thus, installation of the wireless network eliminates the need for the expensive network cabling for an Ethernet LAN.

However, unlike wired transmissions, wireless transmissions are not physically bounded. Rather they can travel for hundreds or even thousands of feet beyond the walls of the user's building. Thus an unscrupulous individual can use electronic surveillance equipment or even just another wireless computer to capture the user's transmissions, and obtain access to the user's information and computers.

A typical Wi-Fi access point or router is configured to allow an administrator to manage the Wi-Fi network through a special administrative account. An administrative account may provide complete, “super-user” access to the configuration utilities in the router (11) via a special username and password. In the present state of the art, both the account username and password for a conventional router are set at the factory by the manufacturer. The username is often simply the term ‘admin’ or ‘administrator.’ The password is typically empty (i.e., a blank field), or a simple term such as ‘admin,’ ‘public,’ or ‘password.’

Moreover, the default passwords for popular models of wireless network gear are well-known to hackers, and are easily found on the Internet. From a security standpoint, the user of a Wi-Fi network would be well-advised to improve the security of the newly-installed network by changing the simple, factory-set administrative password in the router to a strong password immediately upon initial installation. Even better, the user should also change the administrative username; however, as previously discussed, often this doesn't happen.

Besides the administrator account described above, Wi-Fi routers also provide various kinds of encryptions for the data being transmitted and received “over the air.” These encryption methods have a key or passkey (that is different from the above administrator password). Most state of the art wireless routers give users the option of leaving their Wi-Fi network unencrypted or the ability to use one of the many supported encryption standards. Again, however, far too often this encryption method is turned off, rendering the transmissions easy to read by unskilled attackers using standard computer equipment.

The present invention addresses the above problems by providing to the user an easy to configure router, with a built-in touch screen often displaying a graphical user interface with simple setup instructions, which also has a difficult to guess or hack set of security settings. These security settings can include a difficult to guess password, encryption key, and optionally an automatic method of setting the router to a secure setting.

FIG. 2 shows how a prior art wireless router (10) can be configured in accordance with IEEE Standard 802.11. In the present state of the art, such Wi-Fi routers are usually factory configured and shipped with no default security (i.e. the default security options are turned off). The users, who are often quite inexperienced, thus need to manually enable various router security functions when the device is turned on for the first time. Generally, with prior art devices, the user initiates security configuration by first attaching an external computerized device (23) that is running a web browser, and logging into the router's administrative console (not shown) through this web browser, using the router's current (factory default) password and username. In the example provided, the router (11) may have a fixed default login and a pre-established password for an administrative account in the program memory module. Then, the user needs to use an external computerized device (23), often connected to the prior art router (11) by a wired Ethernet cable (55) to navigate to the appropriate administration or security section where the password setting and other setup parameters can be changed.

Thus using prior art configuration methods, the router password can be changed by following the “out of box” setup instructions similar to that shown in FIG. 3, flow diagram 60. These setup instructions typically instruct the user to power on the wireless router (10) at step (61), and connect the router to an external computer (23) via an Ethernet cable (55) at step (63). This external computer (23) must generally be set to the same subnet as the wireless router (30), at step (65). A typical subnet address is a multiple digit series of numbers such as “192.168.1.x”. The user opens a web browser running on the external computer (23), and directs this web browser to the default page (IP address) of the wireless router (10), at step (67). A typical default page may have the IP address “192.168.1.1”.

The user may then reconfigure the various operating parameters for router (11) by using his or her external computer (23) to enter an administrator account user name and the correct password, at step (69), thus allowing access to a configuration page. In theory, at this point, step (71), the user should elect to change the administrative password, for better security. Ideally a suitable password, specified by the user, may be based on the standard guidelines for strong password security. In practice, many inexperienced users, terrified that if they forget this password, the device will become useless, instead often continue to select the factory default password (often “admin” or “password”).

Inexperienced users often forget to configure other important security steps as well. For example, many Wi-Fi routers ship with a feature known as MAC address filtering, which is normally “turned off” by the manufacturer before shipment. Ideally a user should also enable MAC address filtering to improve the security of a Wi-Fi LAN, but again often this doesn't occur.

Still later, at another frequently skipped step (73), the user can set the router encryption type and the encryption key. After completion of this step, the user should in theory verify that the wireless router (10) is Wi-Fi network ready, and continue on. In practice, many inexperienced users, who may never even have been able to establish communication with the router using their external computer (23) in the first place, will have by this time rendered their router useless or have given up altogether.

Manufacturers often produce routers with a variety of different Wi-Fi encryption algorithms including wired equivalent privacy (WEP) or Wi-Fi Protected Access (WPA or WPA2) to improve security. WEP, WPA and WPA2 are encryption standards, chosen by the IEEE 802.11 standards committee, to scramble or encrypt network traffic mathematically. WPA provides stronger encryption than WEP and WPA2 provides even stronger encryption than WPA. As WEP, WPA and WPA2 are features that can be turned “on” or “off” in the router (11), the user should ideally also ensure that either WEP or WPA is properly configured when the wireless network is set up. In practice, this also doesn't happen, leaving the Wi-Fi network wide-open for anyone to come by and snoop on the system.

As can be appreciated, this is not a simple procedure for the average user, and consequently, such users may not be motivated to make the necessary security changes to their router and wireless network. Moreover, if the user forgets their administrative password, or no longer has the original documentation that was provided with the wireless router (11), the process of restoring the wireless network to a secure state is not very easy. As illustrated in FIG. 4, block diagram 80, after a user has powered up the unsecure router (11), at step (81), it usually becomes necessary to call either technical support for the router (11), or to search the Internet for advice, or contact a technically-savvy friend (83). If one such information source is not satisfactory to the user, at decision block (85), it could be a frustrating experience for the end user and leave the user with a router that can no longer be used effectively.

If the user is successful in obtaining information, the next step taken is usually to select the option of resetting the wireless router (11) to the factory default settings, at step (87). This may be accomplished by depressing a reset button, or equivalent, on the router (11) to restore the factory settings, at step (89). If the reset action is successful, the user may proceed to follow steps (63) through step (73) of the flow diagram (60), to step (91) of the flow diagram (80). The wireless router (11) is verified to be Wi-Fi network ready, at step (93).

Although certain automated wizards may be provided to somewhat simplify this task, these automated wizards also run on external computers (23), and the software to run them is frequently out of date or deleted.

Improved Routers with Built-in Touch Sensitive Display Screens.

As previously discussed, the invention's improved router devices and router configuration methods are based upon an improved router design that uses a built-in touch-sensitive display screen to simplify many aspects of the router configuration process, particularly for unskilled users. A diagram of one embodiment of such a router with a built-in touch sensitive display screen is shown in FIG. 5.

Most of the innovation in the present invention is focused on the router's built-in touch sensitive display screen, user interface, security software, and factory configuration methods. However for the sake of completeness, the other elements of the router will also be described.

In one embodiment, such a router (100) with a built-in, touch sensitive, display screen (131) may be fabricated using a commercially available Wi-Fi router system-on-a-chip (SoC) device (110), such as the RT3052 AP/router SOC available from Ralink Technology Corp., Cupertino, Calif. Many other Wi-Fi electronics devices may, of course, also be used, such as a combination of the AR7240 Processor and the AR9285 MAC/Baseband/Radio (both available from Atheros Communications, San Jose, Calif.) or other Wi-Fi electronics. The Wi-Fi router (100) may include a processor such as a MIPS processor (101) (or other processor design, but here MIPS processors operating in accordance with a MIPS instruction set architecture will be used as a specific example). In an exemplary embodiment, the MIPS processor (101) may have a clock rate of about 384 MHz, and functions to provide control to the router (100) via a 128 MHz CPU bus (103). Other processor types, clock rates, and processor or communication methods and buses may also be used.

The Wi-Fi router (100) may provide conventional wired output to an RJ45 port (105) via a fast Ethernet switch (107) on the CPU bus (103), and to an optional USB port (not shown), via a universal serial bus on the go (USB OTG) module (111) or other device. Operation of the Ethernet switch (107) and the USB OTG module (111) may be controlled by the MIPS processor (101) via the CPU bus (103). This router may use a wireless LAN network media access controller (MAC) device to provide packet transmission to the user via an RF front end and antenna module. This router may also support a universal asynchronous receiver/transmitter (UART) interface to enable serial communication with a serial console port.

In some embodiments, the MIPS processor, the UART module, the USB module, MAC, and fast Ethernet Switch, part of the Front End and the RAM controller may be provided on a single router chip, and such router chips may be used to provide at least a component of the present invention as well.

The Wi-Fi router (100) may also include a RAM controller (113) for providing access to a memory module (115). In an exemplary embodiment, the memory module (115) comprises a flash memory, a static random access memory (SRAM), or a synchronous dynamic random access memory (SDRAM).

Although prior art routers were generally configured with memory modules that contained the same factory preset passwords and other factory default information, according to the invention, this standard practice may be modified or abandoned. Rather, the factory will generally have equipment capable of assigning unique passwords, security codes, and other critical setup information that is generally different between different routers, and designed so that it will be difficult for an attacker, even knowing the manufacturer name and model number of the modem, to guess or anticipate.

These “hard to anticipate” factory assigned passwords and security codes need not be totally random, although they may be. The goal is simply to be difficult to guess. Thus even sub-optimal passwords, such as those produced by a random combination of two shorter common words, may be used in this factory configuration process, and this will still be a great improvement over the prior use of uniform passwords. Alternatively totally random passwords and other encryption codes may be used.

Thus the invention router's memory module (115) will generally include a default (factory preset) password designed to be difficult for an attacker to anticipate. Using a randomly generated password as a specific example, this factory preset unique, randomly generated login password (117) can be printed on a label that can be attached to the outside of the router, and digitally stored in the memory of memory module (115) during a manufacturing step in the fabrication of the Wi-Fi router (100). This way when the router is first turned on, it can retrieve these hard to anticipate passwords and encryption algorithms, and start up in a secure configuration from the moment that the device is first powered on.

As previously discussed, the invention's router will additionally contain a touch-sensitive display screen (131), capable of directly showing the router's settings and other easy to use configuration options, that can be directly accessed by the user without the use of any additional outside computer or software. This display will help reassure the user that it is safe to enter in even difficult to remember passwords and encryption settings, because the user will know that at the touch of a button, the router will display these options to the user. The electronics and software behind this touch sensitive display will be discussed in more detail shortly.

In general, most Wi-Fi routers are kept in a secure environment where a user has an expectation of privacy. In these situations, the router's built-in, touch-sensitive, display screen may at least initially be set to display the router's passwords and encryption settings to any and all individuals who have physical access to the router. Often the factory setting of the invention's router, although making it difficult for outside attackers to gain access through use of hard to predict passwords and encryption codes, may still be very trusting with regards to physical access to the router. This will make it easy for inexperienced users to at least make it difficult for outside attackers to gain access to the Wi-Fi network. However the user interface of the router may also be designed to enable the router administrator to later password protect the router's touch-sensitive display screen as well. Thus, for example, a user who anticipates that the router itself may be accessed by unauthorized individuals may elect to password protect the router's own graphical user interface by either a password or even a biometric sensor such as a fingerprint sensor.

To help guard against inexperienced users who want to override the router's default hard to anticipate security settings with passwords and encryption codes that are too easy to guess, the router control software can be designed to warn against such changes. For example, in some embodiments, the memory module (115) may also store a list of “popular passwords” and logins. A user attempting to use any of the popular passwords in place of the unique, randomly generated, login password (117) will be admonished by the router system software, and be encouraged or even required to use a stronger password. This “too popular” or “easy to anticipate” password list may be remotely updated when the user updates firmware for the Wi-Fi router (100).
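The popular-password check described above can be sketched as follows. This is an added example, not code from the patent; the starter list, the normalization rules (case, trailing digits, common character substitutions) and the names `PasswordPolicy`, `check` and `update_list` are assumptions made for illustration.

```python
import re

# Constructed starter list. The text says the real list lives in the memory
# module (115) and may be refreshed when the firmware is updated.
POPULAR = {"admin", "administrator", "password", "public",
           "123456", "qwerty", "letmein"}

# Common character substitutions folded back to letters (assumption).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(candidate):
    """Reduce trivial variants ('Password1', 'P@ssw0rd') to one base form."""
    base = candidate.strip().casefold()
    # Drop trailing digits/punctuation, but keep all-digit strings intact.
    base = re.sub(r"[\d!?.#*]+$", "", base) or base
    return base.translate(LEET)


class PasswordPolicy:
    """Decides what the router UI does when the admin types a new password."""

    def __init__(self, popular, require_strong=False):
        # require_strong=False only admonishes; True refuses the change.
        self.require_strong = require_strong
        self.update_list(popular)

    def update_list(self, popular):
        """Replace the stored list, e.g. after a firmware update."""
        self._denied = {normalize(p) for p in popular}

    def check(self, candidate):
        """Return 'accept', 'warn' or 'reject' for a proposed password."""
        if normalize(candidate) in self._denied:
            return "reject" if self.require_strong else "warn"
        return "accept"


if __name__ == "__main__":
    policy = PasswordPolicy(POPULAR)
    for pw in ("Password1", "P@ssw0rd", "k7Qm-Vx92bTz"):
        print(pw, "->", policy.check(pw))
```

Both the stored list and the candidate pass through the same `normalize` function, so a firmware-supplied list needs no pre-processing.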

Like other Wi-Fi routers, here a wireless LAN network media access controller (MAC) (119), may be used to provide packet transmission to the user, in conformance with IEEE STD 802.11n, via an RF front end and antenna module (121). Note that with the possible exception of the antenna itself, the RF front end is essentially the electronic radio circuitry for a wireless Wi-Fi transceiver.

Operation of the wireless MAC (119) and the RAM controller (113) may be controlled by the MIPS processor (101) via the CPU bus (103).

In some embodiments, the memory module (115) may also include a security application program (123) which may be configured to execute automatically when the user first initiates the Wi-Fi router (100). The Wi-Fi router security application program (123) may include a unique, randomly-generated service set identifier (SSID) and encryption key. The encryption key would conform to WEP, WPA, WPA2, or other Wi-Fi compatible encryption, and would be configured during manufacturing of the Wi-Fi router (100). In some embodiments, the login password (117), the SSID, and the encryption key information may be provided as a printed, permanent label attached to the Wi-Fi router (100) during the time of manufacturing.
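The popular-password check and the randomly generated per-device defaults described above, sketched as an added example (not code from the patent or from any router firmware). The list contents, the alphabet, the function names and the use of /dev/urandom as the random source are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample of the "popular passwords" list; the text has the real
   list stored in the memory module and refreshed with firmware updates. */
static const char *const POPULAR[] = {
    "password", "12345678", "qwertyuiop", "admin", "letmein", "iloveyou"
};

/* No 0/O or 1/l/I, so a printed label or on-screen value is easy to copy. */
static const char ALPHABET[] =
    "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789";

/* Case-insensitive match, so "PassWord" is caught like "password". */
static int equal_ignore_case(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

/* Returns 1 if the candidate is on the popular list, else 0. */
int is_popular_password(const char *candidate)
{
    size_t i;
    for (i = 0; i < sizeof POPULAR / sizeof POPULAR[0]; i++)
        if (equal_ignore_case(candidate, POPULAR[i]))
            return 1;
    return 0;
}

/* Writes len random ALPHABET characters plus a terminator into out (which
   must hold len + 1 bytes). Assumes the platform exposes a CSPRNG at
   /dev/urandom; rejection sampling avoids modulo bias. 0 on success, -1 on error. */
int generate_secret(char *out, size_t len)
{
    const unsigned n = sizeof ALPHABET - 1;
    const unsigned limit = 256 - (256 % n);   /* bytes >= limit are discarded */
    FILE *rng = fopen("/dev/urandom", "rb");
    size_t filled = 0;
    int byte = 0;

    while (rng != NULL && filled < len && (byte = fgetc(rng)) != EOF)
        if ((unsigned)byte < limit)
            out[filled++] = ALPHABET[(unsigned)byte % n];
    if (rng != NULL)
        fclose(rng);
    out[filled] = '\0';
    return filled == len ? 0 : -1;
}

int main(void)
{
    char key[21];
    if (generate_secret(key, sizeof key - 1) != 0)
        return 1;
    printf("default key %s, on popular list: %d\n", key, is_popular_password(key));
    printf("\"PassWord\" on popular list: %d\n", is_popular_password("PassWord"));
    return 0;
}
```

An exact-match list only catches the listed strings themselves; a close variant such as "password1" passes unless the list also contains it.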

The touch sensitive display screen (131) may interface with the router electronics by various methods. Although there is no inherent reason why the “MIPS” processor (101) cannot also be used to power the touch sensitive display screen (131) and user interface software, often it may be convenient to devote processor (101) for the routine Wi-Fi activities, and instead off-load the task of running the display screen (131) and associated user interface software to a second processor or microcontroller (130). This second processor or microcontroller can be a dedicated or partially dedicated microprocessor that runs the display screen (131), runs user interface software, and which then connects to the rest of the modem electronics by an interface, such as a serial interface, thus somewhat mimicking the functionality of a separate computer and network connection, but as a unitized part of the router device.

Using the dedicated processor (130) and serial interface as a specific example, in one embodiment, serial communications for the Wi-Fi router (100) may be provided by a UART interface (125) and a GPIO interface (127). The Wi-Fi router (100) offloads the task of running the user interface and display screen (131) to a second processor or microcontroller. Here many processors and microcontroller types may be used. One suitable microcontroller type is the PIC family of microcontrollers, produced by Microchip Technology Inc., Chandler Ariz., and this family of microcontrollers will be used as a specific example here.

In this specific example, a PIC microcontroller (130) may, for example, comprise a PIC 16F887 chip. Here the microcontroller may communicate with the other devices through a serial communication interface configured as a full-duplex asynchronous system, or other method. The microcontroller (130) Communication between the UART interface (125), the GPIO interface (127), and the microcontroller (130) may be provided along a communication protocol (135).

The microcontroller (130) interfaces with a touch-sensitive display screen, such as an LCD touch panel (131) for enabling the user to change default security settings in the Wi-Fi router (100), as described in greater detail below. Communication between the microcontroller (130) and the LCD touch panel (131) may be provided along a microcontroller bus (133). The LCD touch panel (131) may be configured to display various types of user interfaces and instructions. For example, when data entry is required, the system software may generate a dynamic, software-driven keypad (shown in FIG. 7) to enable direct data entry by the user.

Although LCD based touch sensitive display screens or touch panels (131) are occasionally used here as a specific example, other types of touch sensitive display screens may, of course, also be used. In an alternative embodiment, a thin-film transistor (TFT) touch panel may be used comprising a touch screen component aligned over a TFT display component.

As shown in the diagram of FIG. 6, communication between the MIPS processor (101) and the microcontroller (130) may comprise a communication protocol (135) in accordance with any one or more interfaces, such as serial peripheral interface (SPI), GPIO, inter IC communication (I2C), UART, joint test action group (JTAG), inter IC sound (I2S), or other interfaces. In an exemplary embodiment, the hardware interface may use one of the above-listed communication interface standards. Communication between the microcontroller (130) and the touch sensitive display screen/LCD touch panel (131) may include hardware signals (137) to drive the display and the display drivers, as well as hardware signals to sense the feedback provided by the user at the touch surface.

Various types of security configuration software (300) may be used to drive the user interface, configure the modem's various security settings, and interact with the user through the touch sensitive display screen (131). This security configuration software directs the microcontroller (130) to send hardware signals (137) to display panel (131) with various display setup and password directions.

The user can then accept the factory default password and encryption codes by entering in the appropriate commands (139) back on the display panel (131), or alternatively change these password and encryption codes.

The security configuration software (300), working with processor or microcontroller (130), will then receive hardware signals (137) from the touch panel (131) with this user information (139), process the user data into commands understood by the MIPS processor (101), and transmit them to the MIPS processor over interface (135); the MIPS processor (101) in turn can change the settings of the Wi-Fi router (100).

For example, assume that the user has decided that he or she wants to change the router password or encryption code, and has pressed a virtual button on the display screen (131) indicating a desire to interact with the device via a virtual keypad. In this case, security configuration software (300) working with microcontroller (130) can generate a dynamic, software driven keypad on display panel (131). This is shown in FIG. 7.

In FIG. 7, the microcontroller (130), working with security configuration software (300), may function to place the LCD touch panel (131) into an input mode or into a display mode. In the input mode, the LCD touch panel (131) provides an input screen (161) that may include one or more entry fields and/or a virtual keypad (163), to enable the user to, for example, enter a randomly-generated administrative password (117) or other hard to guess password.

In the display mode, the LCD touch panel (131) may provide a display screen (161) that may provide information to the user such as, for example, an SSID (167) or an encryption key.

This information may be passed by microcontroller (130) via a link, such as a serial link to a UART or other input device, to a Wi-Fi router chip assembly or circuit board (150). This chip assembly may, in turn, comprise other components such as a bridge/router processor (151) for communication with the microcontroller via an interface (169), which again may be a standard communications interface such as I2C, SPI, I2S, USB, or other standard. In an exemplary embodiment, the bridge/router processor (151) may comprise a Ralink TC3162U chipset. The bridge/router processor (151) may further be in communication with a Wi-Fi chipset (153), such as a Ralink RT3390.

A wireless link may be provided to the bridge/router processor (151) by an analog front end (155), such as the chipset TC3086 manufactured by Ralink. The bridge/router processor (151) may also be in communication with a fast Ethernet switch (157), which may be a Ralink TC2206 chipset. Preferably, the secure Wi-Fi router chip assembly (150) also comprises a memory module (159), such as a flash memory, an SRAM memory, or an SDRAM memory. Other configurations may also be used.

FIG. 8 shows a diagram showing one potential exterior appearance of the invention's Wi-Fi router with an integrated touch screen (100). As previously discussed, generally the touch screen (131) will be made an integral part of the router unit housing (181), and may, for example, be placed (secured) either on an easy to access portion of the unit, such as the side or top part of the housing (181) as shown, or alternatively may be placed in a less easy to access portion of the unit as desired. Here some other router components, such as optional exterior antennas (182), optional USB inputs or outputs (183), optional Ethernet jack inputs and outputs (184), optional reset button (185), optional power jack (186), optional LED indicators (187) and optional WAN Port(s) (188), which may typically connect to a DSL/Cable/or Fiber network outlet, are also shown.

The housing (181) may be fabricated from a durable material, such as a high-density plastic, capable of withstanding normal wear and tear. In an exemplary embodiment, the Wi-Fi router assembly (100) may be provided with a Wi-Fi repeater (not shown) to extend the range of the network served by the Wi-Fi router assembly (100).

Setup and operation of the secure Wi-Fi router (100) can be explained with further reference to a flow diagram (200), shown in FIG. 9. The Wi-Fi router (100) may be powered on, at step (201), and show an initial configuration scheme (shown in FIG. 11). Using the LCD touch panel, at step (203), the user may confirm or change (set) the SSID of the Wi-Fi router (100) as well as the router encryption type and the router encryption key (shown in FIG. 11). At step (205), the user may verify that the Wi-Fi router (100) is Wi-Fi network ready. The user may optionally be notified if new users or devices are connected to the network served by the secure Wi-Fi router (100). This notification may be accomplished, for example, by a message sent to the user's cell phone via a short message service (SMS) as well-known in the art. If desired, the user can access the LCD touch panel (131) to assign short names to devices on the network, in place of identifying these devices by their corresponding MAC addresses.

FIG. 10 shows that if the user later needs to re-configure the Wi-Fi router (100), but has forgotten or misplaced the encryption key, the reconfiguration may be initiated by powering on the Wi-Fi router (100), at step (211). Using the LCD touch panel (131), the user may select a “lost encryption key” option, at step (213). The user may then select a “setup new SSID and new encryption key” for the router (100), at step (215). At step (217), the user verifies that the Wi-Fi router (100) is Wi-Fi network ready. If the user has simply forgotten the Wi-Fi security settings, the user may simply request the display (131) to show the settings again (optionally entering in a display access password first).

FIG. 11 shows an example of an initial router setup user interface that might be displayed on display (131). In this example, on initial setup, the router provides the user with a variety of menu options, such as the router SSID (310), DSL/Cable Login identifier (312), the router password key (314), router network settings parameters (316), router operation mode (e.g. IEEE 802.11n, 802.11g, 802.11b setting) (318), and a help screen (320). Alternatively the initial router display may be made even simpler, and may show graphics and even animations or videos showing how the user may set up the device. Because the display (131) is a touch-sensitive display, the user need only touch on the appropriate box, icon, graphics or other portion of the display in order to set up the router.

FIG. 12 shows an example of how the user may use the touch screen display (131) to set or reset the router SSID identification. Assume here that to reach this particular user interface, the user had previously touched the SSID setup box (310) using the screen previously shown in FIG. 11. Upon touching this box (310), the router is now showing FIG. 12 on display (131). In this example, the router is showing the current or default SSID number (322). The display (131) also presents the user with a “change” button (324), and is also displaying a virtual keyboard or virtual keypad (326) where the user may type and put in changes. For simplicity, the virtual keys on this virtual keyboard or virtual keypad (326) are mapped to alphabetic characters. Alternate virtual keyboard layouts may be generated where the virtual keys are mapped to numeric or other special characters. Thus the user may enter in a new SSID identification (often as a series of alphanumeric characters) on (326) and then press the change button (324). Additionally there may be other elements, such as a return to the previous page button, home button, cancel button, as well as other graphical elements or control elements (not shown).

Many of the specific details of certain embodiments of the invention are set forth in the above description and related drawings to provide a thorough understanding of such embodiments. One skilled in the art will understand, however, that the present invention may be practiced without several of the details described in the above description. Moreover, in the description, it is understood that the figures related to the various embodiments are not to be interpreted as conveying any specific or relative physical dimension.

The invention claimed is:
 1. A method of configuring a wireless router, said router comprising a wired or optical network interface, an integrated touch screen, and a wireless output, said router having security parameters, said method comprising: configuring said security parameters with default values that are unique to each individual router; wherein when said wireless router is at least initially installed into a network, the default security parameters cannot be predicted by an outside attacker; and wherein the administrator of said router may then further configure the parameters of said router by direct touch or stylus input onto said integrated touch screen without the need to use a different computerized device.
 2. The method of claim 1, wherein the said router conforms to IEEE 802.11 WiFi standards.
 3. The method of claim 1, in which said default security parameters are randomly generated at a factory.
 4. The method of claim 1, in which said default security parameters are randomly generated on either initial setup or later setup by router security configuration software.
 5. The method of claim 1, in which the router has an Internet Protocol (IP) address, and the administrator may further configure the IP address of said router using said integrated touch screen.
 6. The method of claim 1, wherein said security parameters comprise one or more parameters selected from the group consisting of Wi-Fi encryption type, Wi-Fi encryption code key, an administrator password, and a Service Set Identifier (SSID).
 7. The method of claim 1, wherein said configuration parameters comprise DSL/Cable/Fiber login and password that enable connection to the respective DSL/Cable/Fiber modem through the said wired interface.
 8. The method of claim 1, wherein said router has an integrated DSL/Cable/Fiber chipset that enables the said router to connect directly to an analog wired interface of a DSL/Cable/Fiber without the need for an additional DSL/Cable/Fiber modem.
 9. The method of claim 1, further using a router integrated microprocessor or microcontroller and embedded router security configuration software to display router configuration instructions on said integrated touch screen, prompting for user input on said integrated touch screen, and using parameters entered by said user input on said integrated touch screen to configure said parameters.
 10. The method of claim 9, further generating a virtual keypad or virtual keyboard on said integrated touch screen, and receiving user input which is numeric or alphabetic or alphanumeric using said virtual keypad or virtual keyboard.
 11. The method of claim 9, further displaying non-text graphical images on said integrated touch screen, and receiving user input by detecting user touch commands on said non-text graphical images.
 12. The method of claim 9, in which said security configuration software compares said user entered security parameters against a list of common or potentially compromised security parameters, and warns the user if the user attempts to enter in a security parameter that appears on said list.
 13. A method of configuring a wireless router, said router comprising a wired or optical network interface, an integrated touch screen, and a wireless Wi-Fi output, said router having security parameters, said method comprising: configuring said security parameters with default values that are unique to each individual router; wherein when said wireless router is at least initially installed into a network, the default security parameters cannot be predicted by an outside attacker; using a router integrated microprocessor or microcontroller and embedded router security configuration software to display router configuration instructions on said integrated touch screen, prompting for user input on said integrated touch screen, and using parameters entered by said user input on said integrated touch screen to configure said security parameters; displaying a mix of text and non-text graphical images on said integrated touch screen, and receiving user input by detecting user touch commands on either said text or non-text graphical images; and wherein the administrator of said router may then further configure the security parameters of said router by direct touch or stylus input onto said integrated touch screen without the need to use a different computerized device.
 14. The method of claim 13, wherein the said router conforms to IEEE 802.11 WiFi standards.
 15. The method of claim 13, in which said default security parameters are generated at a factory.
 16. The method of claim 13, in which said default security parameters are randomly generated on either initial setup or later setup by router security configuration software.
 17. The method of claim 13, wherein said security parameters comprise one or more parameters selected from the group consisting of Wi-Fi encryption type, Wi-Fi encryption code key, an administrator password, and an SSID network name.
 18. The method of claim 13, further generating a virtual keypad or virtual keyboard on said integrated touch screen, and receiving user input which is numeric or alphabetic or alphanumeric using said virtual keypad or virtual keyboard.